DocsConfigure SSO with OneLogin
This guide is intended for Admins setting up SSO SAML with OneLogin. OneLogin is a cloud-based identity and access management solution.
When you configure Single Sign-on (SSO) with OneLogin, your users will be able to create and sign into their Baserow accounts using OneLogin.
If you are looking for information on setting up SSO with other providers:
- Configure Azure AD for SAML SSO
- Configure Okta for SAML SSO
- Configure Google for OAuth 2 SSO
- Configure Facebook for OAuth 2 SSO
- Configure GitHub for OAuth 2 SSO
- Configure GitLab for OAuth 2 SSO
- Configure OpenID Connect for OAuth 2 SSO
Single Sign-On feature is a part of the Baserow Enterprise offering. Instance-wide features are only available on the self-hosted Enterprise plan. To learn more about the Baserow enterprise plan, visit our pricing page.
Here’s how to set up OneLogin to sign in to your Baserow account.
Set up SSO SAML with OneLogin
Log in to your OneLogin account as an administrator. Click Administration on the toolbar to go to the Admin panel.
To add apps to your company app catalog, go to Applications > Applications from the admin page then click on Add App:
Search and select the SAML Custom Connector (Advanced):
Enter Baserow as the Display Name of the new app, and make sure Visible in portal is on. Upload icon and add a description to the new SAML connector.
Click Save. You’ll find a new left-side navigation menu after saving. Click Configuration in the sidebar menu.
Next, log in to Baserow. Go to the Admin > Authentication > Provider. Retrieve your Default Relay State URL and Single Sign On URL from your Baserow admin settings modal, following the steps in this guide.
In OneLogin configuration tab, paste your Baserow Default Relay State URL in the RelayState field.
Paste your Single Sign On URL in the next four fields as shown below.
| Baserow value | Corresponding OneLogin Configuration field |
|---|---|
| Default Relay State URL | RelayState |
| Single Sign On URL | Audience (EntityID) |
| Single Sign On URL | Recipient |
| Single Sign On URL | ACS (Consumer) URL Validator* |
| Single Sign On URL | ACS (Consumer) URL* |
Convert your Single Sign On URL into a regular expression and paste that into the ACS (Consumer) URL Validator* field. For information on regular expression, visit this link. Add the required symbols in the ACS (Consumer) URL Validator* field as shown in the picture below to make it a valid regex:
Set the next set of configuration fields as shown below:
| OneLogin field | Value |
|---|---|
| SAML initiator | OneLogin |
| SAML nameID format | |
| SAML issuer type | Specific |
| SAML signature element | Both |
| SAML encryption method | AES-128-CBC |
| Generate AttributeValue tag for empty values | ☑ |
| SAML sessionNotOnOrAfter | 1140 |
Once you’re done, click Save to store the app settings.
After saving, click on the Parameters tab. Then, click the + icon to add 3 custom parameters.
Assign the following field names and check **Include in SAML assertion. Click Save to go to the next screen then select the corresponding values from the dropdown:
| Field name | Value |
|---|---|
| user.email | |
| user.first_name | First Name |
| user.last_name | Last Name |
Set the parameters that will be sent in the SAML response with values as shown below:
Once you’re done, click Save.
To configure the SAML provider in Baserow, you’ll need to download the SAML metadata from the “More Actions” menu in the Applications tab as shown below:
After you’ve accessed the information from the SAML Metadata, copy and paste the information from OneLogin into Baserow.
Connect OneLogin to your Baserow Account
Head back to Baserow Admin > Authentication > Provider.
Configure OneLogin by inputting the domain and metadata information into the corresponding fields in your Baserow Admin Dashboard, following the steps in this guide.
You should be able to log in with OneLogin after completing these steps by visiting your Baserow servers login page. Your users will now be taken to a OneLogin sign-in flow when they attempt to log into Baserow. After logging in with their OneLogin credentials, they will be redirected to the app.
Add users to access OneLogin
You can grant your users access to the newly created application, either by adding to individual Users or by adding to Roles or Workspaces within OneLogin, depending on how you prefer to manage your Users there.
To add users to this application, click on Users in the top bar menu item.
Go to Users > Users and click the New User button to open the User Info page. On the User Info page, verify that the user is activated. Enter the user’s name and email address, along with any other personal information you want to include. Click the Save User button.
Understanding Baserow’s authentication system
By default, Baserow restricts users to logging in only with the same authentication method they used for signing up. For instance, if a user creates an account with a username and password, they won’t be able to log in through SSO without further configuration.
Troubleshooting error for SSO Login
You might encounter an error message — “Something went wrong: please use the provider that you originally signed up with” — when you attempt to log in via SSO.
This error message indicates a conflict between your initial sign-up method and your attempt to log in via SSO after initially signing up for Baserow with a username and password.
Here are the primary options to address this error:
Option 1: Enable multiple authentication methods
Set the environment variable BASEROW_ALLOW_MULTIPLE_SSO_PROVIDERS_FOR_SAME_ACCOUNT=true. After setting this variable, restart the Baserow instance. This allows users to log in with either a password or SSO.
This option increases security risk, especially if you have multiple OAuth providers enabled. An attacker who gains access to a user’s account on any external provider could potentially use that access to log in to the associated Baserow account.
For optimal security, we recommend maintaining consistent authentication methods unless necessary. If enabling multiple login methods is essential, implement additional security measures to mitigate potential risks.
Option 2: Maintain consistent authentication method
Users can continue logging in with the authentication method they signed up with. This avoids changing Baserow’s default behavior and maintains existing security measures.
Option 3: Delete user from Admin panel and re-login via SSO
You can delete the user from the Baserow admin panel. Upon logging in via SSO, Baserow will recreate the user, automatically setting SSO as their default authentication method.
Deleting the user permanently removes all their associated data within Baserow. This option should only be considered if data loss is acceptable and after ensuring all data is backed up elsewhere.
Always prioritize data security when modifying your authentication settings.
Related content
- Single Sign On (SSO) overview.
- Baserow Enterprise plan.
- Enable SSO in the admin panel.
- Email and password authentication.
Still need help? If you’re looking for something else, please feel free to make recommendations or ask us questions—we’re ready to assist you.
Contact support for questions about Baserow or help with your account.